On Bounding Problems of Quantitative 
Information Flow* 



Hirotoshi Yasuoka 1 and Tachio Terauchi 2 

1 Tohoku University 

y asuokaOkb .ecei.tohoku. ac.jp 

2 Nagoya University 
terauchi@is .nagoya-u. ac . jp 



Abstract. Researchers have proposed formal definitions of quantitative 
information flow based on information theoretic notions such as the Shan- 
non entropy, the min entropy, the guessing entropy, belief, and channel 
capacity. This paper investigates the hardness of precisely checking the 
quantitative information flow of a program according to such definitions. 
More precisely, we study the "bounding problem" of quantitative infor- 
mation flow, defined as follows: Given a program M and a positive real 
number q, decide if the quantitative information flow of M is less than 
or equal to q. We prove that the bounding problem is not a fc-safety 
property for any k (even when q is fixed, for the Shannon-entropy-based 
definition with the uniform distribution), and therefore is not amenable 
to the self-composition technique that has been successfully applied to 
checking non-interference. We also prove complexity theoretic hardness 
results for the case when the program is restricted to loop-free boolean 
programs. Specifically, we show that the problem is PP-hard for all defi- 
nitions, showing a gap with non-interference which is coNP-complete for 
the same class of programs. The paper also compares the results with 
the recently proved results on the comparison problems of quantitative 
information flow. 
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1 Introduction 

We consider programs containing high security inputs and low security outputs. 
Informally, the quantitative information flow problem concerns the amount of 
information that an attacker can learn about the high security input by executing 
the program and observing the low security output. The problem is motivated 
by applications in information security. We refer to the classic by Denning [12] 
for an overview. 

In essence, quantitative information flow measures how secure, or insecure, 
a program (or a part of a program -e.g., a variable-) is. Thus, unlike non- 
interference [10,13], that only tells whether a program is completely secure or 
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not completely secure, a definition of quantitative information flow must be able 
to distinguish two programs that are both interferent but have different degrees 
of "secureness." 

For example, consider the following programs. 

Mi = if H = g then O := else O := f 

M 2 =0 := H 

In both programs, H is a high security input and O is a low security output. 
Viewing H as a password, Mi is a prototypical login program that checks if 
the guess g matches the password. 3 By executing Ml, an attacker only learns 
whether H is equal to g, whereas she would be able to learn the entire content of 
H by executing M 2 . Hence, a reasonable definition of quantitative information 
flow should assign a higher quantity to Mi than to Mi , whereas non-intcrfcrcncc 
would merely say that Mi and Mi are both interferent, assuming that there are 
more than one possible values of H . 

Researchers have attempted to formalize the definition of quantitative infor- 
mation flow by appealing to information theory. This has resulted in definitions 
based on the Shannon entropy [12,7,19], the min entropy [28], the guessing en- 
tropy [17,1], belief [8], and channel capacity [22,20,26]. All of these definitions 
map a program (or a part of a program) onto a non-negative real number, that 
is, they define a function X such that given a program M, X(M) is a non- 
negative real number. (Concretely, X is SE[/j] for the Shannon-entropy-based 
definition with the distribution [i, ME[/j] for the min-entropy- based definition 
with the distribution fi, GE{fi] for the guessing-entropy-based definition with the 
distribution fi, and CC for the channel-capacity-based definition. 4 ) Therefore, a 
natural verification problem for quantitative information flow is to decide, given 
M and a quantity q > 0, if X(M) < q. The problem is well-studied for the case 
q = as it is actually equivalent to checking non-interference (cf. Section 2.1). 
The problem is open for q > . We call this the bounding problem of quantitative 
information flow. 

The problem has a practical relevance as a user is often interested in know- 
ing if her program leaks information within some allowed bound. That is, the 
bounding problem is a form of quantitative information flow checking problem 
(as opposed to inference). Much of the previous research has focused on infor- 
mation theoretic properties of quantitative information flow and approximate 
(i.e., incomplete and/or unsound) algorithms for checking and inferring quanti- 
tative information flow. To fill the void, in a recent work [32], we have studied 
the hardness and possibilities of deciding the comparison problem of quantitative 
information flow, which is the problem of precisely checking if the information 
flow of one program is larger than that of the other, that is, the problem of 
deciding if X (Mi) < X(M 2 ) given programs Mi and M 2 . The study has lead to 

3 Here, for simplicity, we assume that g is a program constant. See Section 2 for 
modeling attacker/user (i.e., low security) inputs. 

4 The belief-based definition takes additional parameters as inputs, and is discussed 
below. 



some remarkable results, summarized in Section 3 and Section 4 of this paper 
to contrast with the new results on the bounding problem. However, the hard- 
ness results on the comparison problem do not imply hardness of the bounding 
problem. 5 Thus, this paper settles the open question. 

We summarize the main results of the paper below. Here, X is SE[U], ME[U], 
GE[U] or CC, where U is the uniform distribution. 

— Checking if X{M) <q\s not a fc-safety property [29, 9] for any fc. 

— Restricted to loop-free boolean programs, checking if X(M) < q is PP-hard. 

Roughly, a verification problem being fc-safety means that it can be reduced to 
a standard safety problem, such as the unreachability problem, via self composi- 
tion [3, 11]. For instance, non-interference is a 2-safety property (technically, for 
the termination- insensitive case 6 ), and this has enabled its precise checking via 
a reduction to a safety problem via self composition and applying automated 
safety verification techniques [29,25,31]. Also, our recent work [32] has shown 
that deciding the comparison problem of quantitative information flow for all 
distributions (i.e., checking if y^SE^Mx) < SE[n\{M 2 ), V//.ME[/i](Mi) < 
ME{n}(M 2 ), Vn.GE[ii\{M x ) < GE[ l j\{M 2 ), and V/i.VM.B£[(/i,M)](Mi) < 
BE[(/j,, h, £)}(M2) 7 ) are 2-safety problems (and in fact, all equivalent). 

We also prove a complexity theoretic gap with these related problems. We 
have shown in the previous paper [32] that, for loop-free boolean programs, both 
checking non-interference and the above comparison problem with universally 
quantified distributions are coNP-complete. (PP is believed to be strictly harder 
than coNP. In particular, coNP = PP implies the collapse of the polynomial 
hierarchy to level 1.) 

Therefore, the results suggest that the bounding problems of quantitative in- 
formation flow are harder than the related problems of checking non-interference 
and the quantitative information flow comparison problems with universally 
quantified distributions, and may require different techniques to solve (i.e., not 
self composition). 

The belief-based quantitative information flow [8] differs from the definitions 
above in that it focuses on the information flow from a particular execution 
of the program (called experiment) rather than the information flow from all 

5 But, they imply the hardness of the inference problem because we can compare 
X(Mi) and X{M2) once we have computed them. We also note that the hardness 
of the bounding problems implies that of the comparison problems because we can 
reduce the bounding problem X(M) < q to a comparison problem that compares 
M with a program whose information flow is q. (But, the reverse direction does not 
hold.) 

6 We restrict to terminating programs in this paper. (The termination assumption is 
nonrestrictive because we assume safety verification as a blackbox routine.) 

7 See below for the notation BE[(n,h,£)](M) denoting the belief-based quantitative 
information flow of M with respect to the experiment (jj,,h,£). The result for the 
belief-based definition is proven in the extended version of the paper that is under 
submission [33]. 



executions of the program. 8 Therefore, we define and study the hardness of two 
types of bounding problems for the belief-based definition: 

(1) BE[(n, h,£)](M) < q 

(2) \/h,lBE[(n,h,e)](M) < q 

Here, BE[([i,h,£)}(M) denotes the belief-based information flow of M with the 
experiment (/x, h, £) where h, £ are the particular (high-security and low-security) 
inputs. Note that the problem (2) checks the bound of the belief-based quanti- 
tative information flow for all inputs whereas (1) checks the information flow for 
a particular input. This paper proves that neither of these problems are fc-safety 
for any fc, and are PP-hard for loop-free boolean programs. 

We note that the above results are for the case the quantity q is taken to be 
an input to the bounding problems. We show that when fixing the parameter 
q constant, some of the problems become fc-safety under certain conditions for 
different fc's (cf. Section 3.1, 3.2, and 3.3). 

We also define and study the hardness of the following bounding problems 
that check the bound over all distributions. 

(1) Vfj,-SE\p\(M) < q 

(2) \//j,.ME[pi](M) < q 

(3) V/i. (M) < q 

(4) \/ti.BE[(iJi,h,e)}(M)<q 

(5) Vii,h,t.BE[{n,h,e)](M) < q 

We show that except for (4) and (5), these problems are also not fc-safety for 
any fc, and are PP-hard for loop-free boolean programs, when q is not a constant 
(but are fc-safety for various fc's when q is held constant). For the problems (4) 
and (5), we show that the problems are actually equivalent to that of checking 
non-interference. (1), (2), and (3) are proven by showing that the problems corre- 
spond to various "channel capacity like" definitions of quantitative information 
flow. 

The rest of the paper is organized as follows. Section 2 reviews the existing 
information-theoretic definitions of quantitative information flow and formally 
defines the bounding problems. Section 3 proves that the bounding problems are 
not fc-safety problems for SE[U], ME[U], GE[U], and CC. (Section 3.1 shows 
that when fixing the parameter q constant, some of them become fc-safety under 
certain conditions for different fc's.) Section 3.2 shows fc-safety results for the 
belief-based bounding problems, and Section 3.3 shows fc-safety results for the 
bounding problems that check the bound for all distributions. Section 4 proves 
complexity theoretic hardness results for the bounding problems for loop-free 
boolean programs for SE[U], ME[U], GE[U], and CC, and Section 4.1 proves 
those for the belief-based bounding problems and the bounding problems that 

8 Clarkson et. al. [8] also propose a definition which averages the quantitative infor- 
mation flow over a distribution of the inputs h and I. Note that a hardness result 
for (1) below implies the hardness result of the bounding problem for this problem 
as we may take the distribution to be a point mass. 



check the bound for all distributions. Section 5 discusses some implications of 
the hardness results. Section 6 discusses related work, and Section 7 concludes. 
All the proofs appear in Appendix A. 

2 Preliminaries 

We introduce the information theoretic definitions of quantitative information 
flow that have been proposed in literature. First, we review the notion of the 
Shannon entropy [27], H[n](X), which is the average of the information content, 
and intuitively, denotes the uncertainty of the random variable X. 

Definition 1 (Shannon Entropy). Let X be a random variable with sam- 
ple space X and fi be a probability distribution associated with X. (We write \i 
explicitly for clarity.) The Shannon entropy of X is defined as 

n\ M ] { x) = ^ { x = x) io glI( ^— j 

(The logarithm is in base 2.) 

Next, we define conditional entropy. Informally, the conditional entropy of X 
given Y denotes the uncertainty of X after knowing Y . 

Definition 2 (Conditional Entropy). Let X andY be random variables with 
sample spaces X and Y, respectively, and fi be a probability distribution associated 
with X and Y. Then, the conditional entropy of X given Y, written H[/j](X\Y) 
is defined as 

H\M]{X\Y) = 52n{Y = y)H\n](X\Y = y) 

where 

%WX\Y = y) = E, e xM(A =x\Y = y) log ^ x J x{Y=y) 
M (A = x\Y = y) = ^ X = Y %J y) 

Next, we define (conditional) mutual information. Intuitively, the conditional 
mutual information of X and Y given Z represents the mutual dependence of 
X and Y after knowing Z. 

Definition 3 (Mutual Information). Let X,Y and Z be random variables 
and n be an associated probability distribution. 9 Then, the conditional mutual 
information of X and Y given Z is defined as 

I\M](X;Y\Z) = H[fi](X\Z) - H[n] (X\Y, Z) 
= nlv}(Y\Z)-HM(Y\X,Z) 



9 We abbreviate the sample spaces of random variables when they are clear from the 
context. 



Let M be a program that takes a high security input H and a low security 
input L, and gives the low security output O. For simplicity, we restrict to 
programs with just one variable of each kind, but it is trivial to extend the 
formalism to multiple variables (e.g., by letting the variables range over tuples). 
Also, for the purpose of the paper, unobservable (i.e., high security) outputs are 
irrelevant, and so we assume that the only program output is the low security 
output. Let fi be a probability distribution over the values of H and L. Then, 
the semantics of M can be defined by the following probability equation. (We 
restrict to terminating deterministic programs in this paper.) 

fi(0 = o)= v(H = h,L = £) 

M{h,t) = o 

Note that we write M(h,£) to denote the low security output of the program 
M given inputs h and £. Now, we are ready to introduce the Shannon-entropy 
based definition of quantitative information flow (QIF) [12, 7, 19]. 

Definition 4 (Shannon-Entropy-based QIF). Let M be a program with a 
high security input H, a low security input L, and a low security output O. Let 
[i be a distribution over H and L. Then, the Shannon-entropy-based quantitative 
information flow is defined 

SE[ IJ ](M)=l[ l i](0;H\L) 

= HM(H\L)-n[i4(H\0,L) 

Intuitively, %\}j\(H\L) denotes the initial uncertainty knowing the low security 
input and H[[j,](H\0, L) denotes the remaining uncertainty after knowing the 
low security output. 

As an example, consider the programs Mi and M 2 from Section 1. For 
concreteness, assume that g is the value 01 and H ranges over the space 
{00, 01, 10, 11}. Let U be the uniform distribution over {00, 01, 10, 11}, that is, 
U{h) = 1/4 for all h e {00, 01, 10, 11}. Computing their Shannon-entropy based 
quantitative information flow, we have, 



SE[U](M!) = H[U]{H) - H[U](H\0) = log 4 - flog 3 w .81128 
SE[U}(M 2 ) = H[U}(H) - n[U}(H\0) = log 4 - logl = 2 

Hence, if the user was to ask if SE[U](Mi) < 1.0, that is, "does Mi leak more 
than one bit of information (according to SE[U])T\ then the answer would be 
no. But, for the same query, the answer would be yes for M 2 . 

Next, we introduce the min entropy, which Smith [28] recently suggested as 
an alternative measure for quantitative information flow. 

Definition 5 (Min Entropy). Let X and Y be random variables, and fi be an 
associated probability distribution. Then, the min entropy of X is defined 

H O0 \M](X)=]og ' 



and the conditional min entropy of X given Y is defined 



H 00 [fi}(X\Y)=log- 



V[n](X\Y) 
where 

V[fi](X) = max xeX fi(X = x) 
V[n](X\Y = y) = max l6Xfi (X = x\Y = y) 

V[n]{X\Y) = E y eY^(Y = VWWX\Y = y) 

Intuitively, V[/i](X) represents the highest probability that an attacker 
guesses X in a single try. We now define the min-entropy-based definition of 
quantitative information flow. 

Definition 6 (Min-Entropy-based QIF). Let M be a program with a high 
security input H , a low security input L, and a low security output O. Let \i be a 
distribution over H andL. Then, the min-entropy-based quantitative information 
flow is defined 

ME\p](M)=H O0 \ji](H\L)-H O0 \j*](H\0,L) 

Whereas Smith [28] focused on programs lacking low security inputs, we 
extend the definition to programs with low security inputs in the definition 
above. It is easy to see that our definition coincides with Smith's for programs 
without low security inputs. Also, the extension is arguably natural in the sense 
that we simply take the conditional entropy with respect to the distribution over 
the low security inputs. 

Computing the min-entropy based quantitative information flow for our run- 
ning example programs Mi and M 2 from Section 1 with the uniform distribution, 
we obtain, 

ME[tf](Mi) = Hao[U](H) - Hoo[U](H\0) = log 4 - log 2 = 1 
ME[U](M 2 ) - Hoo[U]{H) - Hoc[U](H\0) = log 4 - log 1 = 2 

Hence, if a user is to check whether ME[U] is bounded by q for 1 < q < 2, then 
the answer would be yes for Mi, but no for M 2 . 

Next, we introduce the guessing- entropy based definition of quantitative in- 
formation flow [21, 17, 1]. 

Definition 7 (Guessing Entropy). Let X and Y be random variables, and 
fi be an associated probability distribution. Then, the guessing entropy of X is 
defined 

9\»](X)= ]T ix f i(X = x l ) 

l<i<m 

where m — |X| and x\, x 2 , . . . , x m satisfies < j => fJb{X = x{) > fi{X = 

The conditional guessing entropy of X given Y is defined 

g[ fJ ](X\Y) = '£riY = y)GM(X\Y = y) 

v eY 



where 



GWX\Y = y) = Ei<i< m ^y■v{X = x t \Y = y) 
m = |X| and Vz, j.z < j => ^(X = Xi\Y = y) > fi(X = Xj\Y = y) 

Intuitively, represents the average number of times required for the 

attacker to guess the value of X. We now define the guessing-entropy-based 
quantitative information flow. 

Definition 8 (Guessing-Entropy-based QIF). Let M be a program with a 
high security input H , a low security input L, and a low security output O. Let 
H be a distribution over H and L. Then, the guessing-entropy-based quantitative 
information flow is defined 

GE[fj](M) = Q[fj](H\L) - g\pL](H\0,L) 

Like with the min-entropy-based definition, the previous research on 
guessing-entropy-based quantitative information flow only considered programs 
without low security inputs [17, 1]. But, it is easy to sec that our definition with 
low security inputs coincides with the previous definitions for programs with- 
out low security inputs. Also, as with the extension for the min-entropy-based 
definition, it simply takes the conditional entropy over the low security inputs. 

We test GE on the running example from Section 1 by calculating the quan- 
tities for the programs Mi and M 2 with the uniform distribution. 

GEpKA'h) = G[U]{H) - G[U]{H\0) = 1-1 = 0.75 
GE[U](M 2 ) = 9[U](H) - 9[U](H\0) = §-1 = 1-5 

Hence, if a user is to check whether GE[U] is bounded by q for 0.75 < q < 1.5, 
then the answer would be yes for M\, but no for M 2 . 

Next, we introduce the belief-based definition of quantitative information 
flow [8] . The belief-based definition computes the information leak from a single 
execution of the program, called an experiment. 

Definition 9 (Experiment). Let fi be a distribution over a high-security input 
such thatVh./j.(h) > 0, ti£ be a high-security input, andl^ be a low-security input. 
Then, the experiment E is defined to be the tuple {/i,h£,££}. 10 

Intuitively, the distribution \i represents the attacker's belief about the user's high 
security input selection, £g denotes the attacker's low-security input selection, 
and fi£ denotes the user's actual selection. Then, the belief-based quantitative 
information flow, which is the information flow of individual experiments, is 
defined as follows. 

10 Clarkson et. al. [8] also include the output and the program itself as part of the 
experiment. In this paper, an experiment consists solely of the input and the distri- 
bution. 



Definition 10 (Belief-based QIF). Let M be a program with a high security 
input, a low security input, and a low security output. Let £ be an experiment 
such that £ = {n,h £ ,£ £ ). Then, the belief-based quantitative information flow is 
defined 

BE[£]{M) = D(p -> tie) - D(n\o £ ti £ ) 

where 

o £ =M(h e ,l £ ) 

h = Xh'.if h = h' then 1 else 

V-teioe) = J2he{h'\M(h< ,e £ )=o £ } MM 

n\o £ = A/i.if M(h,£ £ ) = o £ then jffip; else 

/*') = £,, kg 

Here, Z)(/x — > //) is the relative entropy (or, distance) of /x and /i', and quan- 
tifies the difference between the two distributions. 11 Note that h denotes the 
point mass distribution at h. Intuitively, the belief-based quantitative informa- 
tion flow expresses the difference between the attacker's belief about the high 
security input and the output of the experiment. It can be shown that BE[£](M) 
is equivalent to self-information (for M deterministic), that is, the negative log- 
arithm of the probability the event occurs (i.e., in this case, the output occurs). 

Lemma 1. Let \i be a belief, h £ be a high-security input, i £ be a low-security 
input. Then, BE[(iJ,,h £ ,£ £ )}(M) = -log£he{h>\M(h>,£ £ )=M(h £ ,e £ )}V(h). 

Computing the belief-based quantitative information flow for our running 
example programs Mi and M 2 from Section 1 with the uniform distribution, we 
obtain, 

-he {00,10,11} 

BE[(U,h)](Mi) = -logf7(Mi(/i)) = -log| » .41503 

- h = 01 

BE[(U, /»)](Mi) = - log U(M 1 (h)) = - log 1 = 2 
And, for any h e {00, 01, 10, 11}, 

BE[(U,h)](M 2 ) = -\ogU(M 2 (h)) = -logi =2 

Therefore, if the user was to ask if BE[(U, h)] is bounded by 1.0 for h — 00, then 
the answer would be yes for Mi but no for M 2 . But, if the user was to ask if 
BE[(U, h)] is bounded by 1.0 for all h, then the answer would be no for both Mi 
and M 2 . 

Finally, we introduce the definition of quantitative information flow based 
on channel capacity [22,20,26], which is defined to be the maximum of the 
Shannon-entropy based quantitative information flow over the distribution. 

11 Here, we follow [8] and use the notation D(/i — y fx') over the more standard notation 
D(H'\\H). 



Definition 11 (Channel-Capacity-based QIF). Let M be a program with 
a high security input H, a low security input L, and a low security output O. 
Then, the channel-capacity-based quantitative information flow is defined 

CC{M) = m&xl[n}(0;H\L) 

Unlike the other definitions above, the channel-capacity based definition of 
quantitative information flow is not parameterized by the distribution over the 
inputs. As with the other definitions, let us test the definition on the running 
example from Section 1 by calculating the quantities for the programs M\ and 
M 2 : 

CC(Mi) = max M I[At](0;/f) = 1 
CC(M 2 ) = max M I[At](0;if) = 2 

Note that CC(Mi) (resp. CC{M 2 )) is equal to MEp^M^ (resp. ME[U]{M 2 )). 
This is not a coincidence. In fact, it is known that CC(M) = ME[U](M) for all 
programs M without low security inputs [28]. 

2.1 Non-interference 

We recall the notion of non-interference [10, 13]. 

Definition 12 (Non-intereference). A program M is said to be non-inter ferent 
iff for any h,h' G H and t G L 7 M(h,£) = M(h',£). 

It can be shown that for the definitions of quantitative information flow X 
introduced above, X(M) < iff M is non-intcrfcrent. 12 That is, the bounding 
problem (which we only officially define for positive bounds -see Section 2.2-) 
degenerates to checking non-interference when is given as the bound. 

Theorem 1. Let \i be a distribution such that Mh G M,£ G h.fi(h,£) > 0. Then, 

— M is non-interferent if and only if SE[/j](M) < 0. 

— M is non-interferent if and only if ME[n](M) < 0. 

— M is non-interferent if and only if GE[/j](M) < 0. 

— M is non-interferent if and only if BE[(fj,',h,£)](M) < 0. 13 

— M is non-interferent if and only if CC(M) < 0. 

The equivalence result on the Shannon-entropy-based definition is proven by 
Clark et al. [6] . The proofs for the other four definitions are given in Appendix A. 



Technically, we need the non-zero-ness condition on the distribution. (See below.) 
Recall Definition 10 that u' is a distribution over H such that fi'(h) > for all /i£H. 



2.2 Bounding Problem 



We define the bounding problem of quantitative information flow for each defi- 
nition introduced above. The bounding problem for the Shannon-entropy based 
definition Bse[iA 1S defined as follows: Given a program M and a positive real 
number q, decide if SE[/j](M) < q. m Similarly, we define the bounding problems 
for the other three definitions £?me[mL Bqe\p\, and Bqc as follows. 

B ME \p\ = {(M,q) | ME[fi](M) < q} 
B GE \pL]={{M,q) | GE[fj](M) < q} 
B cc = {(M,q) | CC(M) <q} 

We defer the definitions of the belief-based bounding problems to Section 3.2. 
3 K-Safety Property 

We show that none of the bounding problems are fc-safety problems for any k. 
Informally a program property is said to be a k-safety property [29, 9] if it can be 
refuted by observing k number of (finite) execution traces. A fc-safety problem 
is the problem of checking a fc-safety property. Note that the standard safety 
property is a 1-safety property. An important property of a fc-safety problem is 
that it can be reduced to a standard safety (i.e., 1-safety) problem, such as the 
unreachability problem, via a simple program transformation called self compo- 
sition [3, 11]. This allows one to verify fc-safety problems by applying powerful 
automated safety verification techniques [2, 14, 24, 4] that have made remarkable 
progress recently. 

As stated earlier, we prove that no bounding problem is a fc-safety property 
for any fc. (First, we prove the result for SE, ME, GE, and CC, and defer the 
result for BE to Section 3.2.) To put the result in perspective, we compare it 
to the results of the related problems, summarized below. Here, X is SE[U], 
ME[U], GE[U], or CC, and y is SE, ME, or GE. (Recall that U denotes the 
uniform distribution.) 

(1) Checking non-interference is a 2-safety problem, but it is not 1-safety. 

(2) Checking X{M{) < X(M 2 ) is not a fc-safety problem for any fc. 

(3) Checking VpJM(Mi) < y[(j](M 2 ) is a 2-safety problem. 

The result (1) on non-interference is classic (see, e.g., [23,3,11]). The results 
(2) and (3) on comparison problems are proven in our recent paper [32]. There- 
fore, this section's results imply that the bounding problems are harder to ver- 
ify (at least, via the self-composition approach) than non-interference and the 
quantitative information flow comparison problems with universally quantified 
distributions. 

Let Prog be the set of all programs, and M + be the set of positive real 
numbers. Let [[M]] denote the semantics (i.e., traces) of M, represented by the 



Note that we treat /i as a parameter of the bounding problem rather than as an 
input. 



set of input /output pairs, that is, [[MJ = {((h, £), o) \ h e H, I e L, o = M(/i, £)}. 
Then, formally, fc-safety property is defined as follows. 

Definition 13 (fc-safety property). We say that a property P C Prog x R + 
is a k-safety property iff (M, q) ^ P implies that there exists T C [[M]] smc/i i/iatf 
|T| < k and VM'.T C [[M']] => (M', g) £ P. 

Note that the original definition of fc-safety property is only defined over pro- 
grams [29, 9]. However, because the bounding problems take the additional input 
q, we extend the notion to account for the extra parameter. 

We now state the main results of this section which show that none of the 
bounding problems are fc-safety problems for any k. Because we are interested in 
hardness, we focus on the case where the distribution is the uniform distribution. 
That is, the results we prove for the specific case applies to the general case. 

Theorem 2. Neither E>se\U], Bme[U], Boe[U], nor Bqc is a k-safety property 
for any k such that k > 0. 

The result follows from the fact that for each of bounding problem Bx above, for 
any fc, there exists q such that deciding (M, q) G B x is not a fc-safety property. 
In fact, as we show next, for some of the problems such as B$e [U], even if we fix 
q to an arbitrary constant, there exists no k such that the problem is fc-safety. 
(But for other problems, for certain cases, we can find fc that depends on q.) We 
defer the details to the next section. (See also Section 5.2.) 

3.1 K-Safety Under a Constant Bound 

The result above appears to suggest that the bounding problems are equally 
difficult for SE[U], ME[U], GE[U], and CC. However, holding the parameter q 
constant (rather than having it as an input) paints a different picture. We show 
that the problems become fc-safety for different definitions for different fc's under 
different conditions in this case. 

First, for q fixed, we show that the bounding problem for the channel-capacity 
based definition of quantitative information flow is fc-safety for fc = [2 q \ + 1. 
(Also, this bound is tight.) 

Theorem 3. Let q be a constant. Then, Bcc is [2 q \ + 1-safety, but it is not 
k-safety for any k < [2 q \ . 

We briefly explain the intuition behind the above result. Recall that a prob- 
lem being fc-safety means the existence of a counterexample trace set of size at 
most fc. That is, for (M,q) (£ B CC , we have T C [[M]] such that \T\ < [2«J + 1 
such that any program that also contains T as its traces also does not belong to 
Bcc (with q), that is, its channel-capacity-based quantitative information flow 
is greater than q. Then, the above result follows from the fact that the channel- 
capacity-based quantitative information flow coincides with the maximum over 
the low security inputs of the logarithm of the number of outputs [20], therefore, 
any T containing [2 q \ + 1 traces of the same low security input and disjoint 
outputs is a counterexample. 



For concreteness, we show how to check Bcc via self composition. Suppose 
we are given a program M and a positive real q. We construct the self-composed 
program M' shown below. 



M'(H u H 2 ,...,H n ,L) = 

Oi :=M(H u L);0 2 := M(H 2 ,L); . . .;O n :=M(H n ,L); 
assert(V iJe{ i,... in} (Oi = Oj A i =/= j)) 

where n = [2 q \ + 1. In general, a self composition involves making fc copies the 
original program so that the resulting program would generate k traces of the 
original (having the desired property). By the result proven by Malacaria and 
Chen [20] (see also Lemma 7), it follows that M' does not cause an assertion 
failure iff {M,q) £ B C c- 

Next, we show that for programs without low security inputs, Bme[U] and 
Bqe\U] are also both fc-safety problems (but for different fc's) when q is held 
constant. 

Theorem 4. Let q be a constant, and suppose Bme[U] only takes programs 
without low security inputs. Then, Bme[U] is [2 q \ + 1-safety, but it is not k- 
safety for any k < [2 q \ . 

Theorem 5. Let q be a constant, and suppose Bqe[U] only takes programs 
without low security inputs. If q > i, then, Bqe\U\ is Lj^]+r~^J + ^-safety, 

but it is not k-safety for any k < Lj^j+jr^J • Otherwise, q < \ and Bqe\U] is 
2- safety, but it is not 1-safety. 

The result for ME[U] follows from the fact that for programs without low 
security inputs, the min-entropy based quantitative information flow with the 
uniform distribution is actually equivalent to the channel-capacity based quanti- 
tative information flow [28]. The result for GE[U] may appear less intuitive, but, 
the key observation is that, like the channel-capacity based definition and the 
min-entropy based definition with the uniform distribution (for the case without 
low security inputs), for any set of traces T = [[MJ, the information flow of a 
program containing T would be at least as large as that of M. Therefore, by hold- 
ing q constant, we can always find a large enough counterexample T. The reason 
Bge[U] is 2-safety for q < \ is because, in the absence of low security inputs, 
the minimum non-zero quantity of GE[U](M) is bounded (by 1/2), and so for 
such q, the problem GE[U](M) < q is equivalent to checking non-interference. 15 

But, when low security inputs are allowed, neither Bme[U] nor Bge[U] are 
fc-safety for any fc, even when q is held constant. 

Theorem 6. Let q be a constant. (And let Bme[U] take programs with low 
security inputs.) Then, Bme[U] is not a k-safety property for any k > 0. 

15 In fact, the minimum non-zero quantity property also exists for ME[\J] without low 
security inputs and CC. There, the minimum non-zero quantity is 1, which agrees 
with the formulas given in the theorems. 



Theorem 7. Let q be a constant. (And let Bge[U] take programs with low se- 
curity inputs.) Then, Bge[U] is not a k-safety property for any k > 0. 

Finally, we show that the Shannon-entropy based definition (with the uniform 
distribution) is the hardest of all the definitions and show that its bounding 
problem is not a fc-safety property for any k, with or without low-security inputs, 
even when q is held constant. 

Theorem 8. Let q be a constant, and suppose Bse [U] only takes programs with- 
out low security inputs. Then, Bse[U] is not a k-safety property for any k > 0. 

Intuitively, Theorems 6, 7, and 8 follow from the fact that, for these defini- 
tions, given any potential counterexample T C [[M]] to show (M,q) Bx, it is 
possible to find M' containing T whose information flow is arbitrarily close to 
(and so (M',q) e Bx). See Section 5.2 for further discussion. 

Because k tends to grow large as q grows for all the definitions and it is 
impossible to bound k for all q, this section's results are unlikely to lead to a 
practical verification of quantitative information flow. 16 Nevertheless, the results 
reveal interesting disparities among the different proposals for the definition of 
quantitative information flow. 

3.2 K-Safety for Belief-based Definition 

This section investigates the hardness of the bounding problems for the belief- 
based definition of quantitative information flow. We define two types of bound- 
ing problems. 

B BE1 [{fi,h,i)] = {(M,q) | BE[(v,hJ)](M)<q} 

BbeM = {(M,q) | \/h,l.BE[(n,h,e)}(M) < q} 

Bbei checks the program's information flow against the given quantity for a 
specific input pair h,£ whereas Bbe2 checks that for all inputs. 

We show that these problems are not a fc-safety problems for any k, at least 
when q is not a constant. To put the result in perspective, we compare to the 
results of the comparison problem for the belief-based quantitative information 
flow problem [33]. 

(1) Checking BE[(U, M)](Mi) < BE[(U,h,£)](M 2 ) is not a fc-safcty problem 
for any k. 

(2) Checking Vh,LBE[(U,h,£)\ (Mi) < BE[(U,h,£)](M 2 ) is not a fc-safcty prob- 
lem for any k. 

(3) Checking Vn,h,£.BE[(n,h,£)}{M{) < BE[(n,h,£)]{M 2 ) is a 2-safety prob- 
lem. 

Note that the problem in (3) compares the two programs for all experiments 
(/j,,h,£). This problem also turns out to be equivalent to the comparison prob- 
lems with universally quantified distributions for SE, ME, and GE discussed 



But, a recent work [16] shows some promising results. 



in Section 3. Hence, this section's non-fc-safety results show that the bounding 
problems Bbei and Bbe2 are harder to verify (at least, via the self-composition 
approach) than non-interference and the comparison problems with universally 
quantified distributions and experiments. 

First, we show that Bbei [{U, h, £)} is not a fc-safety property for any k, even 
when q is held constant, and even without low security inputs. 

Theorem 9. Let q be a constant, and suppose B B ei [(U, h}} only takes programs 
without low security inputs. Then, Bbei [(U, h)] is not a k-safety property for any 
k > 0. 

Next, we show that Bbe2[U] is also not a fc-safety property for any k when q 
is a constant and q > 1, even without low security inputs. But, when q is held 
constant and q < 1, Bbe2[U] is a 2-safety property. 

Theorem 10. Let q be a constant. If q > 1, then Bbe2[U] is not a k-safety 
property for any k > even when Bbe2[U] only takes programs without low 
security inputs. Otherwise, q < 1 and Bbe2[U] is a 2-safety property, but it is 
not a 1-safety property. 

The 2-safety property for the case q < 1 follows because B B E2[U] turns out to 
be equivalent to non-interference for such q. The results show that the bounding 
problems for the belief-based definition is also quite hard, except for the case 
where one checks if the information flow is less than 1 for all inputs, which 
degenerates to checking non-interference. 

3.3 K-Safety for Channel Capacity Like Definitions 

In this section, we study the hardness of the bounding problems that check the 
bound for all distributions. We define the following problems. 

Bsecc = {(M, q) | Vh.SE\m]{M) < q} 
Bmecc = {(M, q) | Vfi.ME[n}(M) < q} 
Bgecc = {{M,q) I Vm.G£MM) < q} 
BbeiccIKI] = {(M,q) I Vn.BE[(jji,h,e)](M) < q} 
B B E2CC = {(M,q) I \/^.\/h,LBE[{n,h,e)](M) < q} 

Note that Bsecc — Bcc because CC(M) = max M SE[fi](M). For this reason, 
we call these bounding problems "channel capacity like." For instance, Kopf and 
Smith [18] call max (I MB[/j](M) the min-entropy channel capacity. (Note that 
(M,q) £ Bmecc iff max M ME[^i](M) < q.) Bgecc follows the same spirit. We 
define two types of channel-capacity like problems for the belief-based definition 
corresponding to the two types of bounding problems Bbei and Bbe2- 

We prove fc-safety results for each of these problems. The result below for 
Bsecc follows directly from that of Bcc (i-e., Theorem 3). But, the other results 
proved are new. 

Theorem 11. Let q be a constant. Then, Bsecc is \ ^ q \ + l-safety, but it is not 
k-safety for any k < [2 q \ . 



First, we show that Bmecc enjoys the same property as Bsecc- That is, 
when q is held constant, it is [2 q \ + 1-safcty, but it is not fc-safety for any k < 
[2 q \. Note that unlike Bme[U], this holds even for programs with low security 
inputs. We show this by proving the following lemma stating that max M ME[^i] 
is actually equivalent to CC{M). 

Lemma 2. max,, ME\p](M) = CC{M) 

The lemma extends the result by Braun et al. [5] that shows the equivalence for 
the low-security-input-free case. By the lemma, the fc-safety result for Bmecc 
follows directly from that of Bqc- 

Theorem 12. Let q be a constant. Then, Bmecc is \^ q \ + 1-safety, but it is 
not k-safety for any k < [2 q \ . 

Next, we prove that, when q is held constant, Bqecc is fc-safety for fc = 
L [gj+i-q J + 1 wncn q > \ and is 2-safety for q < |. Recall that these fc- 
safety bounds are equivalent to those of Bge[U] without low security inputs 
(cf. Theorem 5). However, unlike Bqe[U], the fc-safety result here holds even for 
programs with low security inputs. 

Theorem 13. Let q be a constant. If q > \, then, Bqecc is L [gj+i- g J + 1_ 

safety, but it is not k-safety for any k < L LgJ +i— g -I • Otherwise, q < | and 
Bcecc is 2-safety, but it is not 1-safety. 

The above is shown by proving the following lemma which states that 
the "guessing entropy channel capacity" max^ GE[^i] is actually equivalent to 
max< GE[U ® £]. (See below for the definition ofU<8>£.) 

Lemma 3. We have max M GE[fi](M) = max f GE[U ® £'](M) where U ® £' 
denotes Xh, £.\f £ = £' then U(h) else 0. 

Finally, we prove somewhat surprising results for BBEicc[h,£] and Bbezcg 
stating that they are in fact equivalent to non-interference, independent of q. It 
follows that these problems are 2-safety but not 1-safety. 

Theorem 14. (M,q) e BBEicc[h,£] iff M{£) is non-interferent. 

Here, M(£) = Xh.M(h,£). That is, the theorem states that, for any q, (M,q) e 
BsEicc[h, £} iff the program M restricted to the low security input £ is non- 
interferent. (Note that checking non-interference at a fixed low security input is 
also a 2-safety property and is not a 1-safety property.) 

An analogous result holds for Bbe2CC- 
Theorem 15. (M,q) G Bbe2CC iff M is non-interferent. 

Clarkson et al. [9] also studies Bbe2CC, which they call QL in their paper. 17 
They state that the problem is a hypersafety property, which is a superset of 
fc-safety properties. 18 

17 Technically, they allow an experiment to consist of a sequence of runs of the program 
whereas we restrict an experiment to a single run. 

18 Informally, a property is a hypersafety if there exists a counterexample set of traces 
of any size. 



M ::= x:=i>\ M ; M x 

if ip then M else Mi 
0, ::= true | x \ (j) A ip \ -«fi 

Fig. 1. The syntax of loop-free boolean programs 

4 Complexities for Loop-free Boolean Programs 

In this section, we analyze the computational complexity of the bounding prob- 
lems when the programs are restricted to loop-free boolean programs. We com- 
pare the complexity theoretic hardness of the bounding problems with those of 
the related problems for the same class of programs, as we have done with the 
fe-safety property of the problems. 

That is, we compare against the comparison problems of quantitative infor- 
mation flow and the problem of checking non-interference for loop-free boolean 
programs. The complexity results for these problems are summarized below. 
Here, X is SE[U], ME[U], GE[U], or CC, and y is SE, ME, or GE. 

(1) Checking non-interference is coNP-complctc 

(2) Checking X{M 1 ) < X{M 2 ) is PP-hard. 

(3) Checking V^.J-VK M i) < 3>[At](M 2 ) is coNP-complete. 

The results (1) and (3) are proven in our recent paper [32]. The result (2) is 
proven in the extended version of the paper [33] and tightens our (oracle relative) 
#P-hardness result from the conference version [32] , which states that for each 
C such that C is the comparison problem for SE[U], ME[U], GE[U], or CC, we 
have #P C FP C . (Recall that the notation FP A means the complexity class of 
function problems solvable in polynomial time with an oracle for the problem 
A.) #P is the class of counting problems associated with NP. PP is the class 
of decision problems solvable in probabilistic polynomial time. PP is known to 
contain both coNP and NP, PH C P pp = P #p [30], and PP is believed to be 
strictly larger than both coNP and NP. (In particular, PP = coNP would imply 
the collapse of the polynomial hierarchy (PH) to level 1.) 

We show that, restricted to loop-free boolean programs, the bounding prob- 
lems for the Shannon-entropy-based, the min-entropy-based, and the guessing- 
cntropy-based definition of quantitative information flow with the uniform dis- 
tribution (i.e., SE[U], ME[U], and GE[U}) and the channel-capacity based def- 
inition (i.e., CC) are all PP-hard. (The results for the belief-based definition 
and the channel-capacity-likc definitions appear in Section 4.1.) The results 
strengthen the hypothesis that the bounding problems for these definitions are 
quite hard. Indeed, they show that they are complexity theoretically harder 
than non-interference and the comparison problems with the universally quan- 
tified distributions for loop-free boolean programs, assuming that coNP and PP 
are separate. 



wp{x := ip, <ft) — (f>[ip/x] 
wp(\f i> then M else M±, (f>) 

= (ip wp(M , <j>)) A (-i^ => wp{Mi,4>)) 
wp(M ; Mi,<j>) = wp(M , wp{M 1 ,(j})) 

Fig. 2. The weakest precondition for loop-free boolean programs 

We define the syntax of loop-free boolean programs in Figure 1. We assume 
the usual derived formulas <p =>■ ip, <p — 4>, 4> V ip, and false. We give the usual 
weakest precondition semantics in Figure 2. 

To adapt the information flow framework to boolean programs, we make each 
information flow variable H, L, and O range over functions mapping boolean 
variables of its kind to boolean values. For example, if x and y are low security 
boolean variables and z is a high security boolean variable, then L ranges over the 
functions {x,y} — > {false, true}, and H and O range over {z} — > {false, true}. 19 
(Every boolean variable is either a low security boolean variable or a high security 
boolean variable.) We write M(h,£) = o for an input (h,£) and an output o if 
(h, 1) |= wp(M, (f) for a boolean formula <j) sucn that o |= 4> an d o' ty= for all 
output d 7^ o. Here, |= is the usual logical satisfaction relation, using h,£ 7 o, 
etc. to look up the values of the boolean variables. (Note that this incurs two 
levels of lookup.) 

As an example, consider the following program. 

M = z := x;w := y; if x A y then z :— ~^z else w := ->w 

Let x, y be high security variables and z,w be low security variables. Then, 

SE[U](M) = 1.5 GE[U](M) = 1.25 

ME[U](M) = log 3 w 1.5849625 C'C(M) = log 3 w 1.5849625 

We now state the main results of the section, which show that the bounding 
problems for SE[U], ME[U], GE[U], and CC arc PP-hard. 

Theorem 16. PP C B SE [U] 

Theorem 17. PP^B M e[U] 

Theorem 18. PPCB GE [U] 

Theorem 19. PPQB C c 

We remind that the above results hold (even) when the bounding problems 
Bse[U], Bme[U], Bge[U], and Bqc are restricted to loop- free boolean pro- 
grams. We also note that the results hold even when the programs are restricted 

19 We do not distinguish input boolean variables from output boolean variables. But, 
a boolean variable can be made output-only by assigning a constant to the variable 
at the start of the program and made input-only by assigning a constant at the end. 



to those without low security inputs. These results are proven by a reduction 

from MAJSAT, which is a PP-complete problem. MAJSAT is the problem of 

deciding, given a boolean formula <f> over variables x , if there are more than 
2 |^|- 

1 satisfying assignments to (f> (i.e., whether the majority of the assignments 
to <fi are satisfying). 

4.1 Complexities for Belief and Channel Capacity Like Definitions 

This section investigates the complexity theoretic hardness of the bounding prob- 
lems for the belief-based definition and the channel-capacity-like definition of 
quantitative information flow introduced in Section 3.2 and Section 3.3. As in 
Section 4, we focus on loop-free boolean programs. 

Below shows the complexity results for the belief-based comparison problems 
for loop- free boolean programs [33]. 

(1) Checking BE[{U,h,e)](M!) < BE[{U,h,e)](M 2 ) is PP-hard. 

(2) Checking \/h,LBE[{U, h,£)} (Mi) < BE[(U,hJ)]{M 2 ) is PP-hard. 

(3) Checking V^,M.££[(m,M}](Mi) < BE[(fj,,h,£)](M 2 ) is coNP-complete. 

First, we prove that the two types of bounding problems for the belief-based 
definition, Bbei and Bbe2, are both PP-hard. 

Theorem 20. PP C B BE1 [(U, h, £)] 
Theorem 21. PPCB BE2 [U] 

As in Section 4, the above theorems are proven by a reduction from MAJSAT. 
They show that the bounding problems for BE[U] are complexity theoretically 
difficult. 

Next, we prove the hardness results for the channel-capacity like definitions 
of quantitative information flow. Theorems 22 and 23 for B$ecc and Bmecc 
follow from the equivalence max^ SE\p\{M) = max M ME[fi](M) = CC(M) (cf. 
Section 3.3) and Theorem 19. Theorem 24 for Bqecc follows from Theorem 18 
and the equivalence max M GE[n](M) — max/ GE[U (g> i](M) (cf. Lemma 3). 

Theorem 22. PP C B S ecc 

Theorem 23. PP C B M ecc 

Theorem 24. PP C Bqecc 

Finally, the following coNP-completeness results for BBEicc[h,£] and 
Bbezcc follow from their equivalent to non-interference and the fact that check- 
ing non-interference is coNP-complete for loop-free boolean programs (cf. Sec- 
tion 4). 

Theorem 25. BBEicc[h,l] is coNP-complete. 



Theorem 26. B B E2CC * s coNP-complete. 



5 Discussion 



5.1 Bounding the Domains 

The notion of fc-safety property, like the notion of safety property from where 
it extends, is defined over all programs regardless of their size. (For example, 
non-interference is a 2-safety property for all programs and unreachability is a 
safety property for all programs.) But, it is easy to show that the bounding 
problems would become "fc-safety" properties if we constrained and bounded 
the input domains because then the size of the semantics (i.e., the input/output 
pairs) of such programs would be bounded by |H|x|L|. In this case, the problems 
are at most H x |L| -safety. (And the complexity theoretic hardness degenerates 
to a constant.) But, like the fc-safety bounds obtained by fixing q constant (cf. 
Section 3.1), these bounds are high for all but very small domains and are unlikely 
to lead to a practical verification method. Also, because a bound on the high 
security input domain puts a bound on the maximum information flow, the 
bounding problems become a tautology for q > c, where c is the maximum 
information flow for the respective definition. 

5.2 Low Security Inputs 

Recall the results from Section 3.1 that, under a constant bound, the bounding 
problems for both the min-entropy based definition and the guessing-entropy 
based definition with the uniform distribution are fc-safety for programs without 
low security inputs, but not for those with. The reason for the non-fc-safety re- 
sults is that the definitions of quantitative information flow ME and GE (and in 
fact, also SE) use the conditional entropy over the low security input distribution 
and are parameterized by the distribution. This means that the quantitative in- 
formation flow of a program is averaged over the low security inputs according to 
the distribution. Therefore, by arbitrarily increasing the number of low security 
inputs, given any set of traces T, it becomes possible to find a program contain- 
ing T whose information flow is arbitrarily close to (at least under the uniform 
distribution). This appears to be a property intrinsic to any definition of quan- 
titative information flow defined via conditional entropy over the low security 
inputs and is parameterized by the distribution of low security inputs. Note that 
the channel-capacity-likc definitions do not share this property as it is defined 
to be the maximum over the distributions. The non-fc-safety result for Bse[U] 
holds even in the absence of low security inputs because the Shannon entropy 
of a program is the average of the surprisal [8] of the individual observations, 
and so by increasing the number of high security inputs, given any set of traces 
T, it becomes possible to find a program containing T whose information flow 
is arbitrarily close to 0. The non-fc-safety results for B BE1 [(U, h)] and B BE2 [U) 
hold for similar reasons. 20 

20 They are, respectively, the surprisal of a particular input, and the maximum surprisal 
over all the inputs. 



6 Related Work 



This work continues our recent research [32] on investigating the hardness and 
possibilities of verifying quantitative information flow according to the formal 
definitions proposed in literature [8,12,7,19,28,17,1,22,20,26,5,18]. Much of 
the previous research has focused on information theoretic properties of the def- 
initions and proposed approximate (i.e., incomplete and/or unsound) methods 
for checking and inferring quantitative information flow according to such def- 
initions. In contrast, this paper (along with our recent paper [32]) investigates 
the hardness and possibilities of precisely checking and inferring quantitative 
information flow according to the definitions. 

This paper has shown that the bounding problem, that is, the problem of 
checking X(M) < q given a program M and a positive real q, is quite hard 
(for various quantitative information flow definitions X). This is in contrast to 
our previous paper that has investigated the hardness and possibilities of the 
comparison problem, that is, the problem of checking X{M\) < X{M 2 ) given 
programs Mi and Mi. To the best of our knowledge, this paper is the first to 
investigate the hardness of the bounding problems. But, the hardness of quan- 
titative information flow inference, a harder problem, follows from the results of 
our previous paper, and Backes et al. [1] and also Heusser and Malacaria [15] have 
proposed a precise inference method that utilizes self composition and counting 
algorithms. Also, independently from our work, Heusser and Malacaria [16] have 
recently applied the self-composition method outlined in Section 3.1 for checking 
the channel-capacity-based quantitative information flow. 

7 Conclusion 

In this paper, we have formalized and proved the hardness of the bounding prob- 
lem of quantitative information flow, which is a form of (precise) checking prob- 
lem of quantitative information flow. We have shown that no bounding problem 
is a fc-safety property for any k, and therefore that it is not possible to reduce 
the problem to a safety problem via self composition, at least when the quantity 
to check against is unrestricted. The result is in contrast to non-interference and 
the quantitative information flow comparison problem with universally quan- 
tified distribution, which are 2-safety properties. We have also shown a com- 
plexity theoretic gap with these problems, which are coNP-complcte, by proving 
the PP-hardness of the bounding problems, when restricted to loop-free boolean 
programs. 

We have also shown that the bounding problems for some quantitative infor- 
mation flow definitions become fc-safety for different fc's under certain conditions 
when the quantity to check against is restricted to be a constant, highlighting 
interesting disparities among the different definitions of quantitative information 
flow. 

It is interesting to note that, as with the comparison problems, the bounding 
problems become comparatively easier when the input distribution becomes uni- 
versally quantified. That is, as our previous work [32] has shown that checking if 



V/i.y[/i](Mi) < y[/j](M 2 ) is often easier than checking if y[U]{M x ) < y[U](M 2 ) 
(for various quantitative information flow definitions y) , we have shown that the 
problem of checking V/x.J ; [/x](M) < q is often easier than the problem of checking 
y[U](M)<q. 
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A Proofs 

We define some abbreviations. 
Definition 14. /j,(x) = fj,(X = x) 

We use the above notation whenever the correspondences between random vari- 
ables and their values are clear. 

We define some useful abbreviations for programs having low security inputs. 

Definition 15. M[M,£] = {o\3he H.o = M(h,£)} 

Definition 16. M{£) = Xh.M(h,£) 

Note that M(£) is the program M restricted to the low security input £, and 
that M[lhV] is the set of outputs of M(£). 

Wc elide the parameter q from the input to the bounding problems when it 
is clear from the context (e.g., when q is held constant). For example, wc write 
B SE [U](M) and M 6 B SE [U] instead oi B SE [U}(M,q) or (M, q) e B SE [U}. 

We note the following properties of deterministic programs [6]. 

Lemma 4. Let M be a program without low-security inputs, M' be a program 
with low-security inputs. Then, we have SE\p](M) =X[fj](0;H) = rl[/j](0) and 
SE[ri(M / )=l[ f i}(0;H\L)=HM(0\L) 

Definition 17. 

In(ji,X,x) = \{x' E X | n{x') > n{x)}\ 
Intuitively, Jn(/U, X, x) is the order of x defined in terms of ^t. 



Lemma 5. 

G[l4( x ) = s i<i<\x\if*(%i) = S x exIn(fj,,X,x)fj,(x) 

Proof. Trivial. 

Lemma 1. Let /j, be a belief, h £ be a high-security input, £ £ be a low- security 
input. Then, BE[{n,h £ ,£ £ )](M) = - log E h &{h>\M(h> M=M(h £ ,e £ )}K h )- 

Proof. By definition, we have 

BE[(fjL,h £ ,i e )](M) 

= D(fi ->■ h £ ) - D{p,\o e -> h £ ) 

= J2h hs{h) log - Y,h hs{h) log Jggj 
= log -i + log ^ m 

P\ n e) 2-^he{h'\M(h' ,t e )=M(h e ,e e )} ^y n > 

= - ^°&J2he{h'\M(h',e £ )=M(h e ,e £ )} 
Theorem 1. Le£ y be a distribution such that V/i€i,l £ h./j,(h,£) > 0. Tften, 

— M is non-interferent if and only if SE\p](M) < 0. 

— M is non-interferent if and only if ME[/j](M) < 0. 

— M is non-interferent if and only if GE[y](M) < 0. 

— M is non-interferent if and only if BE[(fi' ,h,£)](M) < 0. 21 

— M is non-interferent if and only if C'C(M) < 0. 

Proof. Let O = {M(M) | fceHA/e L}. 

— S£ 

(See [6].) 

— MS 

• => 

Suppose M is non-interferent. By the definition, it suffices to show that 
V\A(H\L) = V\n](H\L,0) 

That is, 

max/i(/i|£) = o) max o) 

We have for any £ x and o x such that n(£ x ,o x ) > 0, fJ,(£ x ,o x ) — n(£ x ), 
and for all /i y , ^, and o y such that y(h y ,£ y ,o y ) > 0, for any /i^ and 
o' G 0\ {o y }, fj,(h' y ,£ y ,o' y ) — 0. Therefore, we have 

E*,o MA o) maxft o) = MA o) mnx h 



Recall Definition 10 that y! is a distribution over H such that /tt'(/i) > for all h € ! 



We prove the contraposition. Suppose M is interferent. That is, there 
exist hi, h 2 , and £' such that M{h 1} £' ) ^ M(h 2 ,t'). Let Oi = M{h Y ,£' ) 
and o 2 = M(h 2 ,t'). We have 

max /J,(h\£) = A + max ^i(h, (!) 



h 

where A = J2£eh\{£'} max /i v(h,l). And, 

^(^, o) max /i(h\£, o) = B + max /j,(h, £', o) 

^ — ' h ^ — ' h 

e,o o 

where £? = E{<,o)e(L\{f})xO max '>J 11 (' l ^i )' Trivially, we have A < B 
and 

max/i(h,^') < max/i(fe, I', o) 

o 

Therefore, we have M£[jn](M) > 0. 

GE 

• => 

Suppose M is non- interferent. By the definition, 
GE[n](M) 

-EioEh in(xh'.n(h', e, o), h, h)n{h, e, o) 

= Eit h MW. f i(h',£),W, h)»(h,£) 

- He. E/i In(\ti.fj,(ti, £), H, h)n(h, I) 
= 

since for all h x , £ x , and o x such that fi(h x ,£ x ,o x ) > 0, for any ^4 and 
o'eO\{o x }, ^(h' x ,£ x ,o' x ) = 0. 

• <= 

We prove the contraposition. Suppose M is interferent. That is, there 
exist h u h 2 , and £' such that M{h u l') ^ M(h 2 ,£'). Let oi = M{hx,£') 
and 02 = M(h2,£')- By the definition, 

= E < E t MAA'#,Q,H,%(/ l ,<) 

" Eio E h In{\h>.n{h>, £, o), H, /^(h, £, o) 
= ^ + T, h In{\h'.^{h', £'), H, £') 

- E E h In{\h'.n{h', £', o), H, h)(j,(h, £', o) 



where 



^ = £/ 6L \ { *) Eh In(\h'.»(h>, £'), H, f ) 

5 = E({,„)g(L\{f })xo Ei, ^(Afe'./i(V, I' o), H, f ,o) 



Trivially, we have A> B and 

Y,h In(\h' ./j,(ti , l'),M, h)n(h, £') 

> Eo E h In(\h>.fx(h',£\ o), H, o) 

Therefore, we have GE[/j](M) > 0. 

- BE 

• => 

Suppose M is non-interferent. By Lemma 1, for any /j,, h, and £, 
BE[(n,h,£)](M) = -log S h 'e{h"\M(h" ,i)=M(h,e)}V(h') = 

• <= 

We prove the contraposition. Suppose M is interferent. That is, there 
exist hi, h 2 , and £' such that M(hi,£') ^ M(h 2 ,£'). Let ^' be a distri- 
bution such that for any h' , fj!{h') > 0. Then, by Lemma 1, we have for 
any h, 

BE[{ii',h,£')]{M) = -\og£ h , e{h „ lM{h „, n=M{h/ , )} n'(h r ) > 

- CC 

• => 

Suppose M is non-interferent. By Lemma 4, for any ^i, 
SE[ fJ ](M)=H[f4(0\L) 

= E E^M)iog^ 
= o 

since fi(o,£) = fj,(£). Therefore, we have Vn.SE\p](M) = 0. It follows 
that CC(M) = 0. 

• <= 

We prove the contraposition. Suppose M is interferent. That is, there 
exist hi, h 2 , and £' such that M(hi,£') ^ M(h 2 ,£'). Let o x = M(hi,£'), 
and 02 = M(h 2 ,£'). Then, there exist // such that 

SE[ M >](M)=H[»'](0\L) 

> »>{oi,£>) log jgfc + M '(o 2 , f ) log 1 ^l r) 

> 

And, we have SE[^']{M) < CC(M). 

We note the following equivalence of CC and MZ?[U] for programs without 
low security inputs [28]. 

Lemma 6. Let M be a program without low security input. Then, CC(M) = 
ME[U](M). 

Theorem 2. Neither Bse[U], Bme[U], Bce[U], nor Bqc is a k- safety property 
for any k such that k > 0. 



Proof. 



— E>se[U] is not a k-safety problem for any k such that k > 0. 
Trivial by Theorem 8. 

— Bme[U] is not a k-safety property for any k such that k > 0. 
Trivial by Theorem 4. 

— P>ge[U] is not a k-safety property for any k such that k > 0. 
Trivial by Theorem 5. 

— Bcc is not a k-safety property for any k such that k > 0. 

Trivial from Lemma 6 and the fact that Bme[U] is not a k-safety property 
for any k. 

Malacaria and Chen [20] have proved the following result relating the channel- 
capacity based quantitative information flow with the number of outputs. 

Lemma 7. Let M be a program (with low security input). Then, 

CC(M) = maxjgL log \M[M, i] \ 

Theorem 3. Let q be a constant. Then, Bcc * s |_2 9 J + ^safety, but it is not 
k-safety for any k < [2 q \ . 

Proof. We prove that Bcc is [2 q \ + 1-safety. Let M be a program such that 
M ^ Bcc- By Lemma 7, it must be the case that there exists I such that 
\M[W,£}\ > [2 q \ + 1. Then, there exists T C [M] such that \T\ < [2«J + 1, 
ran(T) > |2 9 J + 1, and for all ((h,£'),o) G T, t' = I. Then, by Lemma 7, it 
follows that for any program M' such that T C \M% M' £ B C c- Therefore, 
Bcc is a [2 q \ + 1-safety property. 

Finally, we prove that Bcc[U] is not fc-safety for any k < [2 q \ . Let k < [2 q \ . 
For a contradiction, suppose Bcc is a fc-safety property. Let M be a program 
such that M B CC - Then, there exists T such that \T\ < k and T C [M], and 
for any M' such that T C [[M']], (_M',q) ^ B cc . Let T = {(/i^oi),.. . , (/i 4 ,o 4 )}. 
Let M be a program such that [[M]] = T. More formally, let M be the following 
program. 

M(hi) = o u M{h 2 ) =o 2 ,..., M{hi) = o, 

Then, we have 

CC(M) =log\{ 0l , 02,..., Oi}\ <logk<q 

It follows that (M, q) e CC, but T C [[M]]. Therefore, this leads to a contradic- 
tion. 

Theorem 4. Le£ q be a constant, and suppose Bme[U] only takes programs 
without low security inputs. Then, Bme[U] is [2 q \ + 1-safety, but it is not k- 
safety for any k < [2 q \ . 

Proof. Straightforward by Theorem 3 and Lemma 6. 



Lemma 8. Let M be a program without low security inputs. Then, we have 
GE[U](M) = t£ — t^;EoI^°| 2 where n is the number of inputs, and H c = 
{h | o = M(h)}. 

Proof. By the definition, we have 

GE[U](M) = g[U](H) - Q[U]{H\0) 
= J2 h In(U,M, h)U(h) 

- Eo U(o) Eh In(Xh'.U(h'\o),m o , h)U{h\o) 
= Ii n(n + l)_ Eo l^i p ^| Ho |(|H | + l) 

= f-2kEo|Ho| 2 

Lemma 9. Let M and M' be low-security input free programs such that \M'\ = 
[M] U {(h,o)} and h dom([[M}}). Then, we have GE[U]{M) < GE[U}(M'). 

Proof. We prove GE[U](M') - GE[U](M) > 0. Let n = [[M]]|, O = ran([[M}}), 
H = dom(M), and H = {h G H | o = M(h)}. 
By Lemma 8, we have 

GE[U}{M') - GE[U}(M) 

-2^+ry((«-Po|) 2 + s)>0 

where B = E 'eo\{ } l M °'l 2 and H , = {h\o' = M(h)}. 

Lemma 10. Let q > \. Let M be a program without low security inputs such 
that GE[U](M) > q andVM'.lM'} C pf] => GE[U]{M') < q. Then, it must 

be the case that |[[Mjj| < L LgjVi-g J + L 

Proof. Let n be the integer such that n — |[M]]|. If M returns only one out- 
put, we have GE[U](M) = 0. Therefore, M must have more than 1 output as 
GE[U](M) > q. By Lemma 8, we have for any d 

GE[U]{M) = ^-UB + {n-if) 

where i = E o£ o\{</} l H °l and B = E oe o\{o'} Bcca us« GS[C/](M) > q, 

we have z > q. Then, we have 

GE[U](M) >q iff i - 2±£. > q 



By the definition of M, we have VM'.JM']] C [[M]] => G£[£/](M') < q. Let 
[M] = [[M]] \ {(h', d)} where M(/i') = d. Then, we have 

GE[U](M)<q iff <9 



Hence, we have 

B + i 2 B + i 2 

2{i-q) <n -2( l -q) +L 

Because B = X)oeQ\{o'} Po| 2 and i = X)oeo\{o'} Po|> the largest n occurs when 
B = i 2 . That is, when M has exactly two outputs. Therefore, it suffices to prove 
the lemma for just such M's. 

Now, we prove |[M]| < Lftftl^J + 1- Recall that i = E oe o\{o'} Let 
j = n — i. We have 

G£[£/](M) = i-£(i 2 + i 2 ) 

> q 

This means that j > q. Recall that [[M]] = [[M]] \ {(h',o')} where M(fc') = o'. 
Then, we have 

GE[U]{M)<q iff i-^ <q 
iff n < S- + 1 

— 2— q 

Because n is an integer, we have n < + 1 and n < |_^— J + 1. Let / = 

■2 „-2 

+ 1 = + 1. By elementary real analysis, it can be shown that for integers 
i and j such that i > q and j > q, f attains its maximum value when i = [q\ + 1 
or j = [q\ + 1. Therefore, it follows that |[[M]]| = n < L [gj+i-g ^ + L 

Lemma 11. Let q > i. Lef M 6e a program without low-security inputs such 
that GE[U](M) > q. Then, there exists T such that 

-TC [M] 

_ | T | < L|^i+H!j + 1 

- GE[U](M') > q where [M'J = T. 

Proof. Let g > |. Let M be a program such that GE[£/](M) > By Lemma 9 
and the fact that GE[U]{M) is bounded by U^i, there exists T such that 

- T C [M] 

- GE[U]{M') > q where [[M'J = T 

- VT' C T.GE[U](M) < q where [M] = T. 

By Lemma 10, wc have |T| < L L<?J +i— g -I ^' Therefore, we have the conclusion. 

Theorem 5. Le£ q be a constant, and suppose Bqe[U] only takes programs 
without low security inputs. If q > \, then, Bge[U] is L Lgj +i— g -I l~ sa / e ^/> 

&wi it is not k-safety for any k < L j^gj 4^1— g J • Otherwise, q < \ an< ^ Bge[U] is 
2- safety, but it is not 1-safety. 



Proof. First, we prove that Bqe\U] for programs without low-security inputs is 
L [gj+i-q J + 1-safety for q > |. By the definition of fc-safcty, for any M such that 
M g Bqe[U], there exists T such that 

1. TC [MJ 

2. |T| < |f2i±i)!j + 1 

3. VM'.T C \M'\ M' g Bqe [U] 

We show that if M ^ -BGfi[t/], then there exists T such that 

- T C [M] 

- \T\<[\^ q \+l 

- GE[U]{M') > q where [[M']] = T. 

Note that GS[C/](M') > and Lemma 9 imply the condition 3 above. Suppose 
that M £ B GE [U]. Then, by Lemma 11, there exists T C [[M]] such that |T| < 

Lftj^J + 1. and Gi?[C/](M') > g where [[M']] = T. 

Next, we prove Bgb[(7] for programs without low-security inputs is not k- 
safety for any k < L jjjjjppj^ J- For a contradiction, suppose _Bgb[^] is a k-safety 
property. Let M be a program such that 

M(/n) - o, M(/i 2 ) = o, . . . , M(hi) = o, 
M(h i+1 ) = of, M{h l+2 ) = </,..., M(h n ) = d 

where hi, hi, ■ ■ ■ h n , and o, o' arc distinct, n = L [gj +i— g -I ^' and * = L^J Let 
M = {h\o = M(h)} and and H , ={h\o' = M(h)}. By Lemma 8, we have 

GE[U](M) = % -X(|H |2 + |e H 2 ) 
= < "^ 

Let p = L^J + 1. If [qj+i-g i s an integer, then we have 
GE[U]{M)=p-^ 
= P- 



p 2 +p-q 

p—q n 



_ Q / (p-g) , ]\ 

> q 

The last line follows from p 2 q + pq — q 2 = p 2 q + q(p — q) > 0. 

Otherwise, we have Lf^J + 1 = [{^1 > fj^. And, 

GE[U]{M)=p--X- 

I p-q 



Hence, we have GE[U]{M) > q. Therefore, M B GE [U\. Then, there exists T 
such that \T\ <k,T C [[M]], and for any M' such that T C [[M'J, M' £ G e[fT]- 
Let M be a program such that [M] = T. Then, by Lemma 8 and Lemma 9, we 



= q 

It follows that M G B GE [U\. Recall that T C [[M]]. Therefore, this leads to a 
contradiction. 

Next, we prove that Bge[U] is 2-safety for any q < |. It suffices to show that 
Gi?[[/](M) < g iff M is non-interferent, because non-interference is a 2-safety 
property and not a 1-safety property [23, 3, 11]. We prove that if GE[U](M) < q 
then M is non-interferent. The other direction follows from Theorem 1. We prove 
the contraposition. Suppose M is interferent. It must be the case that there exist 
h and b! such that M(h) ^ M(h'). Let o = M(h), and d = M(ti). Let M' be a 
program such that [[M']] = {{h,o), (h',d)}. Note that we have [[M']] C [[M]]. By 
Lemma 9, we have 



It follows that GE[U]{M) > q. 

Lemma 12. Let M be a program that has a low-security input, a high- security 
input, and a low-security output. Then, we have 



where Ol = {(o,£) | 3h.o = M(h,£)}, and L is sample space of the low-security 
input. 

Proof. By the definition of ME, we have 



have 



GE[U](M) < ^ -^(i 2 + (n - 1 - z) 2 ) 





ME\U]{M) =log 



|L| 



MS[C/](M) =log 



1 



log 



1 



V[C/](ff|L) 



V[U](H\0,L) 



where 



V[U]{H\L) = £ 
V[U\(H\0,L) = 1 




|H||L| 



It follows that 



MB [IT] (M) = log 



|L| 



Theorem 6. Lef q be a constant. (And let Bme[U] take programs with low 
security inputs.) Then, Bme\U] is not a k-safety property for any k > 0. 



Proof. For a contradiction, suppose Bme[U] is a k-safety property. Let M be 
a program such that M £ Bme[U]. Then, there exists T such that \T\ < k, 
T C JM], and for any M' such that T C [M'J , M' £ B M b[C/]. Let T = 
{((h\,£\), oi), . . . , ((hi, li), Oi)}. Let M be the following program. 

M(fci,*i) =oi,M(/i2,40 =02,...,M(/i i5 ^)_= o i; 
M(ft i+ i,^ i+ i) = Oi,M(hi +2 ,£ i+ 2) = Oi,.. .,M(h n ,£ n ) = o, t 

where n = |H||L|, and H, L are the high security inputs and the low security 
inputs of M. Then, by Lemma 12, we have 

ME[U](M) = log^ti 
<^ 

Therefore, for any q > 0, there exists L such that ME[U](M) < q and T C [M]]. 
Therefore, this leads to a contradiction. 

Lemma 13. Let M be a program that has a high-security input with sample 
space H, a low-security input with sample space L, and a low-security output. 
Then, we have 

GE[U](M) = H - V |H ,| 2 

L n ; 2 2|H||L| ^ 1 ' 1 

w/iere U oA = {h \ o = M(h,£)}. 
Proof. By the definition, we have 

GE[U](M) = Q[U]{H\L) - G[U}(H\0,L) 

= Ee u(£) J2 h in(\h'.u(h'\e),m, h)u(h\£) 

- Eo i U(o, I) Y. h In(Xh'.U(h'\o, £), M oM h)U(h\o, £) 

= fi 2 ±i -E ,,Kph5l^l(|H. £ | + i) 

_ JH| _ 1 V ITTTT 12 
— 2 2|H||L| l^o,l l^o/l 

Theorem 7. Let q be a constant. (And let Bge[U] take programs with low se- 
curity inputs.) Then, Bqe\U] is not a k-safety property for any k > 0. 

Proof. For a contradiction, suppose Bge[U] is a k-safety property. Let M be 
a program such that M £ Bqe\U]. Then, there exists T such that \T\ < k, 
T C [M], and for any M' such that T C [[M% M' £ B GE [U}. Let T = 
{((hi,£\), oi), . . . , ((hi, li), Oi)}. Let M be the following program. 

M(h u 4) - Oi , M(/i2, 4) = o 2 , . . . , M(hi,li) = Oi, 
M(h l+1 ,l l+1 ) = o l ,M(h l+2 ,l l+2 ) = Oi,...M(h mn ,£ mn ) = o l 

where n = |H| and m = |L|, and H, L are the high security inputs and the low 
security inputs of M. Then, by Lemma 13, we have 

Gi?[[/](M) = f-^E .,|H ,,| 2 

< f -2rb(^ + (™-*)« 2 ) 



Therefore, for any q > 0, there exists L such that GE[U](M) < q and T C [[M]]. 
Therefore, this leads to a contradiction. 

Theorem 8. Let q be a constant and suppose Bse[U] only takes programs with- 
out low security inputs. Then, B$e\U] is not a k-safety property for any k > 0. 

Proof. For a contradiction, suppose Bse[U] is a k-safety property. Let M be 
a program such that M ^ Bse[U]. Then, there exists T such that \T\ < k, 
T C [M], and for any M'_ such that T C \M% M' <£ B SE [U}. Let T = 
{(h\, Oi), . . . , (hi, Oj)}. Let M and M' be the following programs. 

M(fci) = oi, M_(h 2 ) =o 2 ,..., M(hi) = Oi,M(h i+1 ) =o,..., M(K) = o 
M'(h 1 )=d 1 ,M'(h2) = d 2 ,...,M'(h i ) = d i ,M'(h i+1 ) = d,...,M'(h n )=d 

where hi, hi, ■ ■ ■ , h n are distinct, and o[, o' 2 , ■ ■ ■ , o\, and d are distinct. Then, 
we have 

SE[U](M) < SE[U](M') 

= - log n + log -2-7 

Therefore, for any q > 0, there exists M such that 5^[C/](M) < q and T C [MJ. 
Therefore, this leads to a contradiction. 

Theorem 9. Let q be a constant, and suppose Bbei [(U, h}} only takes programs 
without low security inputs. Then, Bbei [{U, h)} is not a k-safety property for any 
k>0. 

Proof. For a contradiction, suppose Bbei [(U, h)] is a fc-safety property. Let M 
be a program such that 

M(/n) = o, . . . , M(h m ) = o, M(h) = d 

where m = [2 q \ , and h,h\, . . . ,h m and o, d are distinct. Then, we have BE[(U, h)](M) = 
log(m + 1) > log2« = q. That is, (M,q) £ B B Ei[(U,h)\. Then, it must be the 
case that there is T such that \T\ < k, T C [[M]], and for any M such that 
T C [[Ml (M,q) £ B B Ei[{U,h}}. Let T - {(h[,o[), (h^o^)}. Let M be the 
following program. 

M(h[) = o[,M(h' 2 ) =d 2 ,..., M{h[) = o\, 
M(h' l+1 ) = d, M(h' i+2 ) =</,..., M(h' n ) = d 

where 

- h[, h' 2 , . . . , h' n are distinct, 

- he{h[,...,h' n }, 

- W, o' 2 , . . . , d % } = {o, d}, and 

- M(h) = d. 



Then, we have 

BE[(U,h))(M) <-log^ 

It follows that there exists n such that BE[(U,h)](M) < q. This leads to a 
contradiction. 

Lemma 14. Let T be a trace such that T = {((hi, £' ), Oi), . . . , ((hi, £' ), o,)} 
where oi , . . . , Oj are distinct. Let M be the program such that [M] = T and M' 
&e a program such that [[M'}} D T. Then, we have max^ BE[(U, h, £)}(M') > 
m^ h , e BE[(U,h,£)}(M). 

Proof. By definition, we have 

max M BE[(U, h,l)\(M) = \ogi 

max M BE[(U,h,£)](M') = max M - log Eh e{h'\M>(h',e)=M'(h,e)}U(h ) 

> maxft - logi7/ loe {/ l /|M'(/i',£')=M'(/i,£')}^(' l o) 

_ !„„ |{fe'|3o.M'(V,£')^ }| 
— 1U & min |{/i'|M'(/i',<')=o}| 

Therefore, it suffices to show that 

\{ti | 3o.M'(h',£') = o}\ > imm{ti \ M'(h',£') = o} 



Then, 



\{ti | 3o.M'(h',e') =o}\ -imin {ti \ M'(h',£')=o} 
>(m-i) min {/i' | M'(ti, £') = o} 
> 



where m = \{o \ 3h.M'(h,£') = o}\. 

Theorem 10. Let q be a constant. If q > 1, then Bbe2[U] is not a k-safety 
property for any k > even when Bbe2[U] only takes programs without low 
security inputs. Otherwise, q < 1 and Bbe2[U] is a 2-safety property, but it is 
not a 1-safety property. 

Proof. First, we show for the case q > 1, Bbe2 [U] is not a fc-safety property for 
any k > 0. For a contradiction, suppose Bbe2[U] is a fc-safety property. Let M 
be the program such that 

M = {hi i — ^ o, . . . , hjyi i — y o, h i — y o'} 

where m = L2 9 J. Then, we have BE[(U, h)](M) = log(m + 1) > log2« = q. That 
is, (M,q) $ Bbeb[U]. Then, it must be the case that there exists T such that 
\T\ < fc, T C [[M]], and for any M' such that T C [M'J, (M', g) ^ S BBS [C/]. Note 
that for any M' such that JM'J C [[M]], \/h.BE[(U, h)](M') < q, and therefore, 
it must be the case that such T must be equal to [[M]]. 
Let M be the following program. 



M(hi) = o, M(h 2 ) = o,..., M(h m ) = o, 
M(h)=o',M(h m+ i) = o l ,M(h m+ 2) = o l ,...,M(h 2m -i) = o' 



where h, h 



!)•■•! 



^2m-i are distinct. 



Then, we have \{ti \ M(h') = o}\ = \{ti \ M(h') = d}\ = m. Therefore, for 



This leads to a contradiction. 

Next, we prove that Bbe2[U] is a 2-safety property for any q < 1. It suffices 
to show that Vh,£.BE[(U,h,£)](M) < q iff M is non-interferent, because non- 
interference is a 2-safety property and is not a 1-safety property [23,3,11]. We 
prove that if \/h,£.BE[{U,h,£)](M) < q then M is non-interferent. The other 
direction follows from Theorem 1. We prove the contraposition. Suppose M 
is interferent. It must be the case that there exist ho, hi, and £' such that 
M(h ,£') ^ M(hi,£'). Let o = M(h ,£'), and d = M{h u £'). Let M' be a 
program such that [[M']] = {((h ,e'),o),((hi,£'),d)}. Note that we have [[M']] C 
[[M]]. By Lemma 14, we have 



It follows that ^(Vh,£.BE[(U, h,£)] < q). 

Theorem 11. Let q be a constant. Then, Bsecc is \ ^ q \ + 1- safety, but it is not 
k-safety for any k < [2 q \ . 

Proof. Trivial from Theorem 3 and the fact that Bsecc is equivalent to Bqc- 

Lemma 15. Let \x be a distribution. Then, for any low-security input I, we have 
mjmaxd n{h,£) > ^ max fc £, o) where me = M[H,f] 



since we have Vo. max;; fj,(h, I) > max^ (i(h, £, o). 
Lemma 2. ma Xfl ME\p](M) = CC{M) 

Proof. The statement was proved for programs without low security inputs by 
Braun et al. [5]. We show that the same result holds for programs with low 
security inputs. 

Let £' be a low-security input such that for any I, my > me where me = 
|M[H, £ ] I- Let [il be a distribution such that V7i.//(/i, £') — — where n is the num- 
ber of high-security inputs. We have CC(M) = ME\p!]{M) = \ogme>- Therefore, 
it suffices to show that for any /it, ME[n'](M) > ME[fj](M). By definition, 



any h! , 



BE[{U,h')](M) 




max BE[{U,h,£)]{M') = 1 < max BE[(U,h,£)](M) 



Proof. 



me max/, n(h, £) - J2o max ?> ^(h, £, o) 

= J2o( max h n(h, I) - max ft fj,(h, £, o)) 
> 



ME[n'](M) = log 
ME[/j](M) =\og- 



Y2 o maxh fi (h,£ ,o) 

maxh fi f (h.£') 
J2j S maxh, Li(h,l,o) 
J2g maxh Li(h,£) 



Therefore, it suffices to show that 

(E G max /i m'O, t', o))(52t max h v(h, £)) 

-(max h ij,'(h,£'))(J2eT,o ma:x hl^(h,£,o)) > 

By Lemma 15, 

(Eo max ?» o))(E<! max,, ^(/i, £)) 

-(max,, ^'(h, E Q max >» ^ °)) 

= ^ E* max /i MM) - ^(E^E max >*MM,o)) 

> ^(Ef max,, - E^ max, £)) 

> 

Therefore, we have ME\p,'](M) > ME[/j](M). 

Theorem 12. Let q be a constant. Then, Bmecc is \% q \ + ^~ sa fcty, but it is 
not k-safety for any k < [2 q \ . 

Proof. Trivial by Theorem 3 and Lemma 2. 

We define the "normal form" of the guessing-entropy-based quantitative in- 
formation flow expression. 

Definition 18 (Guessing entropy QIF Normal Form). Let M be a program 
without low-security input. The guessing- entropy based quantitative information 
flow GE\pt\{M) can be written as the linear expression (over n(hi), . . . , fJ,{h n )) 
^2 i a i ^i(h i ) where ji{h\) > ji{h,2) >■■■> fJ-{h n ), an d each is a non-negative 
integer. We call this expression Ei^M^) the normal form of GE[[i](M). 

Lemma 16. Let M be a program without low-security input. Let Ej CLi^{hi) be 
the normal form of GE[[i](M). Then, for any x such that x < we have 

£«i<^-l)*-^-2)(j-l) 

i<x 

where j = \{h e{h u .. .,h x+1 } \ M(h) = M(h x+1 )}\. 

Proof. By the definition of guessing-entropy-based quantitative information flow, 
we have 

en = i - \{h G {h u ...,hi} | M(h) = M(hi)}\ 
Therefore, we have 

l ~= Ei<x(* - \i h e {hi, ■ ■ ■ M | M(h) = M{h t )}\) 

= t;X(x + 1) — \{j — l)j 

2 - Eie{i'< x \M( hi ,)?M(h x+1 )} \i h e {hi, . • . , M I M(h) = M(hi)}\ 
< \{x-l)x- I(j-2)(j-l) 

where j = \{h G {hi, . . . , h x+1 } \ M(h) = M(ft x+ i)}| 



Lemma 17. Let M be a program without low-security input. Let Ej aifi(hi) be 
the normal form of GE[fj](M). Then, for any x such that x < |H|, we have 
J2t<x a t < xa x+1 . 

Proof. By Lemma 16, we have 

where j = \{h e {hi, . . . ,h x+ i} \ M(h) = M(h x+1 )}\, that is, j = x + 1 - a x+1 . 
Therefore, it suffices to show that \{x — l)x — i(j — 2)(j — 1) < a;a x+ i. Then, 

- \{x l)x + ^(j - 2)(j - 1) = \({x + Z —^L f \) 

By elementary numerical analysis, it can be shown that for integers x and j such 
that x + l > j, \{{x+ ( 3 ~ 2j ) ) 2 — 1) attains its minimum value when x = j — 1. 
Therefore, we have Ei<ir a « — ^x+i- 

Lemma 18. Let M 6e a program without low-security input. Let /i be a distribu- 
tion. Let hi, . . . , h n be such that fi(hi) = /x(/i2) = • • • = fi(hi-i) > fi(hi) > ••• > 
/i(h n ). Let [i' be a distribution such that ^"J-M^iHMM _ n'(hi) = ■ ■ ■ = ji'(hi), 
andVx.x > i => fj,'(h x ) = fJ,(h x ). Then, we have GE\p](M) < GE[n'](M). 

Proof. Let Ej a jM^j) be the normal form of GE[/j](M). By the construction 
of fi', Ej a jM'(^j) i s the normal form of GE[fi'](M). Therefore, 

GE[n']{M) - GE[n](M) 

= Ej OjVCbO - Ej a jV(hj) 

= ( ai + . . . + a .) NM|Mi) _ ( ai + . . . + a^OM/M) - «^(^) 

= - i)oi - - Mfc)) 

where A = ai + ■ • • + o»-i- Since we have (i — l)<ij — (ai + • • • + a,_i) > by 
Lemma 17, and /it(/ii) — > 0, we have 

- l)oj - - n{hi)) > 

Therefore, we have GE[n'](M) > GE[/j](M). 

Lemma 3. We have max M GE[^]{M) = max f GE[U ® £']{M) where U ® £' 
denotes Xh, tif £ = f then C/(/i) else 0. 

Proof. 

ge [fj] (M) = Y,tn W Ei - E^ Eo M*> o) E, *Mfc K, o) 
= Ei M*)(E 4 *M^) - Eo E« o|£)) 
= E«mW<?£[am^)](m(*)) 

By Lemma 18, we have max p GE[y\(M{£)) = GE[U](M(£)). Therefore, we have 
rnaxj, GE\p\(M) = (max* GE[U ® £']{M)) . 



Lemma 19. Let M and M' be programs such that [M']j = [MJ U {((h',£'), o)} 
and (h',£') dom{\Mf). Then, we have max £ GE[U ® £](M) < max £ GE[C/ <g> 
£](M'). 

Proof. By Lemma 9, for any £, we have GE\U®£\{M) < GE[U®£]{M'). There- 
fore, maxi G£[?7 <g> £](M) < max £ GE[U ® £](M'). 

Theorem 13. Let q be a constant. If q > \, then, B GE cc is L [gj+i-^ J + 1~ 
safety, but it is not k-safety for any 
Bqecc is ^safety, but it is not 1-safety. 

Proof. By Lemma 3, (M, q) e B GECC iff max f GE[U ® £'}(M) < q. 22 We prove 
for the case q > \ by a "reduction" to the result of Theorem 5. The case for 
q < \ follows by essentially the same argument. 

First, we show that Bqecc is L [gj+i- g J + 1-safety in this case. By the defi- 
nition of fc-safety, for any M such that M £ Bqecc , there exists T such that 

1. TC [M] 

2. \t\ < ijlaJ+lili +i 

3. VM'.T C [[M }} => M' £ B G£CC 

Suppose that M Bqecc- By Lemma 3, it must be the case that there exists £' 
such that max,, GE[^](M) = G£'[C/](M(f )). Then, by Lemma 11, there exists 

T C [[M(f )]] such that \T\ < L [gj+i-g ^ + 1 ' and C^K^O > 1 whcrc = 
T. Let V = {((h,£'),o) \ (h,o) G T}. Then, we have GE[U](M") > q where 
lM"j = T'. Finally, by Lemma 19, we have that for any M' such that T C [[M']], 

M' £ Bgbcc, and so Bqecc is L ^j J + + i-J + i" 8 ^- 

To see that Bqecc is not fc-safety for any k < L Lgf +i— g -I ' reca U Theorem 5 
that Bqe[U] is not fc-safety for such fc (even) for low-security- input-free pro- 
grams. Therefore, the result follows by Lemma 3. 

Theorem 14. (M,q) G BBEicc[h,£] iff M{£) is non-interferent. 

Proof. We prove that if W^.BE[(^i, h, £)]{M) < q then M{£) is non-interferent. 
The other direction follows from Theorem 1. We prove the contraposition. Sup- 
pose M{£) is interferent, that is, there exist ho and h\ such that M(ho,£) ^= 
M{hi,£). If M{h,£) ^ M(hi,£), then let fj,' be a distribution such that //(hi) 
I — Y5Ff+T- Otherwise, let // be a distribution such that //(ho) = 1 — psj+r- 
Then, we have 

B£[(^M}](M)>log(L2«J+l)> ? 
Theorem 15. (M,q) G Bbe2CC iff M is non-interferent. 

Proof. Straightforward from Theorem 14 and the fact that a program M is non- 
interferent iff for all £, M(£) is non-interferent. 

22 Therefore, for programs without low security inputs, this theorem follows from The- 
orem 5. But, we show that the theorem holds also for programs with low security 
inputs. 



SW = 

case {H',ij),H) 
when (true, true, _) then O := true; O' := true; O" := true 
when (true, false, _) then O := H; O' := true; O" := false 
when (false, _, true) then O := true; O' := false; O" := false 
else 
if Hi 

then ~3 := true; O' := true; O" := true 
else ~3 := II; O' := false; O" := false 

where H', H = Hi, . . . , H n , and O', O", O are distinct. 

Fig. 3. The Boolean Program for Lemma 20 and Theorem 16. 



Notation In the proofs below, for convenience, we sometimes use large letters 
H, L, O, etc. to range over boolean variables as well as generic random variables. 
Also, wc assume that variables H, H', Hi, etc. arc high security boolean variables 
and L, L', Li, O, 0\, Oi, etc. are low security boolean variables. 

Majority SAT The following PP-hardness results (Theorems 16, 17, 18, 19, 20, 
21, 23, and 24) are proven by a reduction from MAJSAT, which is a PP-completc 
problem. MAJSAT is defined as follows. 

MAJSAT = {(p | #SAT(4>) > 2"" 1 } 

where n is the number of variables in the boolean formula <f>, and #SAT(cj>) is 
the number of satisfying assignments of (f>. 

Lemma 20. Let and H' be distinct boolean random variables. Let n and m 
be any non-negative integers such that n < 2' and m < 2' ' . Let (f> m (resp. (f> n ) 
be a formula over H having m (resp. n) satisfying assignments. Then, n < m iff 
SE[U]{M m ) < SE[U]{M n ). where M n = S(4> n ), M m = S((f> m ), and S is defined 
in Figure 3. 23 

Proof. First, we explain the construction S(tp) of Figure 3. Here, we use ML-like 
case statements (i.e., earlier cases have the precedence). It is easy to see that 
the c ase s tatements can be written as nested if-then-else statements. Note that 
O = true, O' — true, and O" — true iff either H' A tp, or H' A Hi and at least one 
of H2, ■ ■ ■ , H n is false. For other inputs, S(ip) returns disjoint outputs. Therefore, 
the number of inputs h such that S(ip)(h) = true is #5AT(^) + 2l^l" 1 - 1, and 
for the rest of the 2^l +1 - (#SAT(ip) +2l^l" 1 - 1) inputs, S{tp) returns disjoint 
outputs different from true. 

23 The encoding S is defined so that MAJSAT is reduced to a bounding problem with 
a rational upper-bound q in Theorem 16 below. A simpler encoding is possible if we 
were to do a reduction with a non-rational q. 



Therefore, 

SE[U](M n ) = log ^fS-r + 2 '-"+ 2 + r 1+1 log 2*+* 

5^[c/](M ro ) = "+ 2 ;;;- 1 bg + ^tr 1+1 io g 2^ 

where a; = 



Suppose n < m < 2^1. Let x = and let p and q be positive real numbers 
such that p = n+ ^+ 1 1 " 1 and g = TO+ 2 2 J+ 1 1 " 1 . We have < p < q < \. 
Therefore, 

SE[U](M n ) - SE[U](M m ) 

= p log i + (1 - p) log - q log i - (1 - q) log 2* +1 
>plog(§) + («-p)]Qg2*+ 1 
> 



We prove the contraposition. Suppose m < n < 2^1 . Let x = \~$\, and let p 
and q be positive real numbers such that p = " +2 X+1 -1 and q — m+ ^ +i 
We have < q < p < \. Therefore, 



SE[U]{M m ) - SE[U]{M n ) 

= log(i)9 + logpf + ((1 - q) - (1 - p)) log 2* +1 
>Iog(|)«+logp9 + (p-g) log 2*+* 

> (p-g)log2 x+1 

> 

Theorem 16. PP C _B SB [[/] 

Proof. Let be a boolean formula. Let V be a boolean formula such that 
#SAT(ip) = 2 n ~ 1 + 1 where n is the number of variables in <f). Let q be the 
number such that 

q = SE[U](SW) 

_ 2"- 1 + l+2"- 1 -l i 2" + 1 , 2"-(2"- 1 + l)+2"- 1 + l , „„+! 
- 2^ l0 S 2"- 1 + l+2"- 1 -l H 2^ io g ^ 

1 , Tt+1 

2 ' 2 

where 5 is defined in Figure 3. Then, 

(%>),<?) e B SE [U](S(4>)) iff SE[U]{S(<f>)) < SE[U](S(ijj) 

iff #SAT{cj)) > #SAT{iP) 
iff e MAJSAT 

by Lemma 20. Therefore, we can decide if G MAJSAT by deciding if SE[U] (S(<f>)) < 
q. Note that the boolean program S(<j>) and q can be constructed in time poly- 
nomial in the size of <f>. Therefore, this is a reduction from MAJSAT to Bse[U]. 



T(4>) = 
if V if' 

then Of := true; ~3 := false 

else Of := false; O :=~H 

where if and if' are distinct, and Of and O arc distinct. 

Fig. 4. The Boolean Program for Lemma 21, Lemma 22, and Theorem 17 

Lemma 21. Let if and H' be distinct boolean variables. Let <p be a boolean 
formula. Then, we have ME[U](T((f>)) = log(# S AT (-xfi) + 1) where T is defined 
in Figure 4- 

Proof. It is easy to see that the number of outputs of T(<fi) is equal to the number 
of satisfying assignment to -></> plus 1. Therefore, it follows from Lemma 12 that 
ME[U](T{<P)) = log{#SAT{-*j>) + 1). 

Lemma 22. Let if and H' be distinct boolean random variables. Let m and n 
be any non-negative integers such thatm < 2' I andn < 2' L Let <f> m (resp. <f> n ) 
be a formula over if having m (resp. n) satisfying assignments. Then, n < m 
iff ME[U]{M m ) < ME[U](M n ). where M n = T(0„), M m = T{^ m ), and T is 
defined in Figure 4- 

Proof. By Lemma 6, Lemma 7, and Lemma 21, we have ME[U](T(<f> m )) < 
ME[U](T{<p n ))) iff log(2l^l - m + 1) < log(2l^l - n + 1) iff n < m. 

Theorem 17. PPCB M e[U] 

Proof. Let be a boolean formula. Let ip be a boolean formula such that 
#SAT(ip) = 2 n ~ 1 + 1 where n is the number of variables in (f>. Let q be the 
number such that 

q = ME[U](T(4>)) = log(2" - (2™- 1 + 1) + 1) = n - 1 

where T is defined in Figure 4. Then, we have 

ME[U]{T{4>)) < g iff ME '[U](T '(<£)) < AfB[{7] (T(ip)) 
iff e MAJSAT 

by Lemma 22. Therefore, we can decide if G MAJSAT by deciding if ME [U] (T ((/>)) < 
q. Note that T((f>) and g can be constructed in time polynomial in the size of <f>. 
Therefore, this is a reduction from MAJSAT to Bme\U\. 

Definition 19. Let M be a function such that M : A — > B. For any oel, we 
write Af _1 (o) to mean 

M- 1 {o) = {i^K\o = M{i)} 



Lemma 23. Let It and H' be distinct boolean random variables. Let n and m 
be non-negative integers such that n < 2^1 and m < 2^1. Let 4> m (resp. (f> n ) be 
a formula over if having m ( resp. n ) satisfying assignments. Then, m < n iff 
GE[U]{M n ) < GE[U}{M m ). where M n = O := <p n WH' and M m = O := <j> m \/H'. 

Proof. By the definition, 

GE[U](M) = Q{H) - Q{H\0) 

= h( 2im+1 ) + 1 2-EoEi< i < l H l mhi,o) 

= 2' ff l - ^(IM-Htrue)! 2 + \M~' (false) | 2 ) 

Therefore, we have 

GE[U](M n ) < GE[U](M m ) 

iff 

IM-^true)! 2 + IM-^false)! 2 < ^(true)! 2 + ^(false)! 2 

iff m < n. 

Theorem 18. PPCB GE [U] 

Proof. Let be a boolean formula. Let V be a boolean formula such that 
#SAT(ijj) = 2 n ~ 1 + 1 where n is the number of variables in <f>. Let q be the 
number such that 

q = GE(0 := ipW H) 
= ^ - ^(iM-^true)! 2 + IM-Hfalse)! 2 ) 
= 2" - 1 ^((2"- 1 + l) 2 + (2"- 1 - l) 2 ) 

where H is a boolean variable that does not appear in ip and <j). Then, we have 

GE[U](0 := <f> V H) < q iff GE[U}(0 :=<j>\/H)< GE[U}(0 :=ipVH) 
iff GE[U}(0 :=(j)VH)<q 
iff #SAT{4>) > ffSAT{^) 
iff G MAJSAT 

by Lemma 23. Therefore, we can decide if <f> S MAJSAT by deciding if GE[U](0 := 
<fi V H) < q. Note that O := 4>V H and q can be constructed in time polynomial 
in the size of <j>. Therefore, this is a reduction from MAJSAT to Bqe\U\. 

Theorem 19. PP C B C c 

Proof. Straightforward from Lemma 6 and Theorem 17. 

Lemma 24. Let ~pt , H' , and H" be distinct boolean random variables. Let n 
and m be any non-negative integers such that n < 2^1 and m < 2'^L Let (j> m 
(resp. (f> n ) be a formula overll having m (resp. n) satisfying assignments. Then, 
n <m iff maxft BE[(U,h)](M m ) < max fc BE[(U, h)]{M n ), where M n = V(i> n ), 
M m = V((f)m), and V is defined in Figure 5. 24 

24 As in Lemma 20, the encoding is chosen so as to reduce MAJSAT to the bounding 
problem with a rational upper-bound. 



vy>) = 

case (H',H",H) 
when (true, true, _) then 

if tp then O := true else O := false 
when (true, false, true) then O := false 
when (true, false, _) then 

if Hi then O := true else O := false 
else O := false 

where = Hi, ... , Hy L is the vector of variables appearing in tp, and i?, if', 
and H" are distinct. 

Fig. 5. The Boolean Program for Lemma 24, Theorem 20, and Theorem 21. 



Proof. First, we explain the construction V(^>) of Figure 5. Note that V(tp) = 
true iff either H'AH"Atp, or H' A~>H" AHi and at least one of H 2 , ...,H n is false. 
Therefore, there are strictly more inputs h such that V(tp)(h) = false than inputs 
h such that V(tp)(h) = true. Hence, max h BE[(U,h)](V(ip)) = BE[(U,h')](V(tp)) 
where h' is any input such that V(tp)(h') = true. 
Now, let x = 0\ . Then, 

max,, BE[(U, h)]{M n ) = log n J*ti_i 
max h S^[((7, h)]{M m ) = log m+ 2 2 l + _ 2 I _ 1 

Therefore, n < m iff max,, B£[(t7, /i)](M m ) < max,, B£[(E7, ft)](M n ). 

Theorem 20. C B BE1 [{U, h, £)} 

Proof. Let be a boolean formula. Let tp be a boolean formula such that 
#SAT(tp) = 2"~ 1 + 1 where n is the number of variables in <j>. Let q be the 
number such that 

2™+ 2 

4 = BE[(U, h)]{Vm = log 2 „_ 1 + 1 + 2 „_ 1 _ 1 = 2 

where is defined in Figure 5, h is a high security input such that /i(-ff' ) = true, 
h(H") = false, h(Hi) = true, and /i(if 2 ) = false. Note that V(tp)(h) = V(<p)(h) = 
true. Then, we have 

(V(<f>),q) e B BBi [(f/,/i)] iff maxv B£[<£7, < q 

iff max/,/ BE[(U,h')](V((p)) 

<max h , BE[{U,h')](V{i>)) 
iff #SAT(<p) > #SAT(iP) 
iff e MAJSAT 



by Lemma 24, and the fact that max^ BE[(U, h')](V(<j>)) = BE[(U,h)](V(<t>)) 
and max h 'BE[(U, h')}(V (tp)) = BE[{U, h)](V(ip)). Therefore, we can decide if 



4> e MAJSAT by deciding if BE[{U,h)](V(4>)) < q. Note that V(cf>) and q can 
be constructed in time polynomial in the size of <j> (in fact, q is just the constant 
2). Therefore, this is a reduction from MAJSAT to B BE1 [(U, h)]. 

Theorem 21. PPCB BE2 [U] 

Proof. Let be a boolean formula. Let ip be a boolean formula such that 
#SAT(ip) = 2"~ 1 + 1 where n is the number of variables in <j>. Let q be the 
number such that 

2™+ 2 

q = m^BE[(U, h)]{Vm = log 2 „_ 1 + 1 + 2Tt _ 1 _ 1 = 2 

where V is defined in Figure 5. We have 

(V(4>),q) £ B BEZ [U] \Suvs^ h BE[{U,h)]{V{4>)) < q 

iff max ft < max ft Sf?[(t7, 

iff #SAT{4>) > #SAT(tP) 
iff e MAJSAT 

by Lemma 24. Therefore, we can decide if <j) £ MAJSAT by deciding if max t BE[(U, h)](V (</>)) < 
q. Note that V(<^>) and q can be constructed in time polynomial in the size of <fi 
(in fact, q is just the constant 2). Therefore, this is a reduction from MAJSAT 
to B BE2 [U\. 

Theorem 22. PP C B SBCC 

Proof. Trivial from Theorem 19 and the fact that Bs E cc is equivalent to i?co 
Theorem 23. PP C B MBCC 

Proof. Straightforward from Lemma 2 and Theorem 19. 
Theorem 24. PPC B GEC c 

Proof. Straightforward from Lemma 3 and Theorem 18. 

We have shown in a previous work [32] that checking non-interference for 
loop-free boolean programs is coNP-complete. 

Lemma 25. Checking non-interference is coNP- complete for loop-free boolean 
programs. 

Theorem 25. B BE1 cc[h^\ * s coNP- complete. 

Proof. Straightforward from Lemma 25 and Theorem 14. 

Theorem 26. Bbeucc * s coNP- complete. 

Proof. Straightforward from Lemma 25 and Theorem 15. 



